Data Processing Agreement

Last updated: May 5, 2026

This Data Processing Agreement ("DPA") forms an integral part of the agreement between Pantalytics B.V. and the customer ("Customer") for the use of Pantalytics services, including Odoo MCP Pro (the "Services"). It implements the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR") where Pantalytics processes personal data on behalf of the Customer.

By using the Services, the Customer accepts this DPA. Customers requiring a countersigned copy may request one at info@pantalytics.com.

1. Parties

  • Processor: Pantalytics B.V., Kromme Nieuwegracht 3, 3512 HC Utrecht, the Netherlands. Chamber of Commerce 98452290.
  • Controller: the legal entity that has entered into an agreement with Pantalytics for the use of the Services.

2. Definitions

Capitalised terms not defined in this DPA have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Personal Data Breach" are used as defined in Article 4 GDPR. "Sub-processor" means another processor engaged by Pantalytics to carry out specific processing activities on behalf of the Customer, within the meaning of Article 28(2) and 28(4) GDPR.

3. Subject matter, nature and purpose

Pantalytics processes Personal Data on behalf of the Customer solely for the purpose of providing, operating, maintaining and supporting the Services, in accordance with the Customer's documented instructions as set out in the agreement, this DPA and configuration choices made by the Customer.

4. Duration

This DPA applies for as long as Pantalytics processes Personal Data on behalf of the Customer under the agreement, and survives termination to the extent necessary to comply with the obligations regarding return or deletion of data (Section 16).

5. Categories of Data Subjects and Personal Data

Depending on the Customer's use of the Services, Pantalytics may process the following categories of Personal Data on behalf of the Customer:

  • Identification and contact data of Customer's end users, employees, customers, suppliers and other contacts (such as names, email addresses, telephone numbers, job titles)
  • Account and authentication metadata (login timestamps, session identifiers)
  • Connection configuration data, including credentials for the Customer's Odoo instance (stored encrypted at rest)
  • Content of queries and responses transmitted between the Customer's Odoo instance and the Services
  • Usage and diagnostic data (timestamps, counts of calls, error logs)

Categories of Data Subjects: the Customer's representatives, employees, end users, and any natural persons whose data is contained in records the Customer chooses to make accessible to the Services.

Pantalytics does not request and the Customer should not transmit special categories of personal data (Article 9 GDPR) through the Services unless explicitly agreed in writing.

6. Obligations of Pantalytics as Processor

Pantalytics shall:

  • Process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by Union or Member State law to which Pantalytics is subject (in which case Pantalytics will inform the Customer before processing, unless that law prohibits such information on important grounds of public interest)
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Take all measures required pursuant to Article 32 GDPR (security of processing), as further described in Section 9
  • Respect the conditions for engaging Sub-processors set out in Section 10
  • Assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (Section 12)
  • Assist the Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Pantalytics
  • At the choice of the Customer, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Section 16)
  • Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Section 15)
  • Inform the Customer immediately if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions

7. Customer responsibilities

The Customer warrants that it has a valid legal basis for the processing carried out through the Services, that it has provided all required notices to Data Subjects, and that its instructions to Pantalytics comply with applicable law. The Customer is responsible for the lawfulness of Personal Data processing, the accuracy of the data, and the configuration of access controls within its own Odoo instance.

8. Confidentiality

Pantalytics keeps Personal Data confidential and ensures that all personnel with access to Personal Data are bound by written confidentiality obligations and have received appropriate training on data protection.

9. Security measures (Article 32 GDPR)

Pantalytics implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  • Encryption in transit: TLS 1.2 or higher for all traffic between clients, the Services and sub-processors
  • Encryption at rest: sensitive credentials such as Odoo API keys are encrypted using industry-standard algorithms
  • Access control: role-based access control, principle of least privilege, multi-factor authentication for administrative access
  • Network security: firewalls, network segmentation, restricted administrative endpoints
  • Logging and monitoring: centralised logs, security monitoring, alerting on anomalous activity
  • Backups: regular encrypted backups with tested restore procedures
  • Resilience: ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • Vendor management: due diligence and contractual safeguards for Sub-processors
  • Personnel: background checks where appropriate, confidentiality agreements, security awareness training
  • Secure development: code review, dependency management, vulnerability scanning
  • Incident response: documented procedures for detection, containment, notification and remediation

Pantalytics regularly tests, assesses and evaluates the effectiveness of these measures and may update them to reflect industry best practice, provided the level of protection is not reduced.

10. Sub-processors

The Customer grants Pantalytics general authorisation to engage Sub-processors for the provision of the Services, subject to the conditions of this Section. The current list of Sub-processors is:

  • Hetzner Online GmbH (Germany) — compute and database hosting
  • CAOS AG (ZITADEL) (Switzerland; data hosted in EU region) — identity and authentication
  • Stripe Payments Europe Ltd. (Ireland) — payment processing and subscription billing
  • Sendinblue SAS (Brevo) (France) — transactional email
  • PostHog Inc. (EU cloud, Frankfurt) — product analytics
  • Odoo S.A. (Belgium) — CRM and live chat for Pantalytics' own marketing website (only relevant where the Customer has interacted with Pantalytics through those channels)

Pantalytics engages no AI provider as a Sub-processor and does not transmit Customer data to any large-language-model provider. Odoo MCP Pro acts solely as an MCP (Model Context Protocol) bridge between the Customer's chosen AI client (such as Claude Desktop, Cursor or a Mistral-based client) and the Customer's Odoo instance. Any AI inference is performed by the AI provider chosen and contracted by the Customer directly, outside the scope of this DPA. Pantalytics does not use Customer data to train AI or machine-learning models, and does not share Customer data with any AI provider.

Pantalytics shall:

  • Impose on each Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR
  • Remain fully liable to the Customer for the performance of the Sub-processor's obligations
  • Inform the Customer of any intended addition or replacement of Sub-processors at least 30 days in advance, by updating this list and notifying the Customer's primary contact by email
  • Allow the Customer to object to such changes on reasonable grounds related to data protection. If the Customer objects and the parties cannot reach agreement, the Customer may terminate the affected Services without penalty

11. International transfers

Personal Data is primarily stored and processed within the European Economic Area (EEA). Where transfers to a third country are necessary for the provision of the Services, Pantalytics ensures that such transfers are subject to appropriate safeguards under Chapter V GDPR, including:

  • Adequacy decisions of the European Commission (Article 45 GDPR), where applicable (for example for Switzerland)
  • Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) (Article 46(2)(c) GDPR), supplemented by additional technical and organisational measures where required following a transfer impact assessment

12. Data Subject rights

Pantalytics shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests from Data Subjects exercising their rights under Articles 12 to 23 GDPR. Where Pantalytics receives a Data Subject request directly, it will, without undue delay, forward the request to the Customer and not respond to it itself unless authorised to do so.

13. Personal Data Breaches

Pantalytics shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification shall, to the extent known at that time, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Pantalytics shall provide further information as it becomes available and shall reasonably cooperate with the Customer in fulfilling its obligations under Articles 33 and 34 GDPR.

14. Data Protection Impact Assessments

Pantalytics shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35 and 36 GDPR, taking into account the nature of processing and the information available to Pantalytics.

15. Audits

Pantalytics shall make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR. Upon prior written request and no more than once per calendar year (except in the event of a material Personal Data Breach or a request from a supervisory authority), Pantalytics shall allow for and contribute to audits, including inspections, conducted by the Customer or by an independent auditor mandated by the Customer who is not a competitor of Pantalytics and is bound by confidentiality. Audits shall be conducted during normal business hours, with at least 30 days' prior notice, in a manner that does not unreasonably interfere with Pantalytics' operations, and at the Customer's expense. Where appropriate, Pantalytics may satisfy audit obligations by providing recent third-party audit reports or certifications.

16. Return or deletion of data

Upon termination or expiry of the Services, Pantalytics shall, at the choice of the Customer, return or delete all Personal Data processed on behalf of the Customer, and delete existing copies, within 30 days, unless Union or Member State law requires storage of the Personal Data. Backups containing Personal Data are deleted in line with the standard backup retention cycle, during which they remain protected by the security measures described in Section 9.

17. Liability

The liability of each party under or in connection with this DPA is governed by the limitations and exclusions of liability set out in the agreement between the parties. Nothing in this DPA limits liability that cannot be limited under applicable law, including the rights of Data Subjects under Article 82 GDPR.

18. Order of precedence

In the event of a conflict between this DPA and the agreement, this DPA prevails with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses prevail.

19. Governing law and jurisdiction

This DPA is governed by the laws of the Netherlands. Disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts in Utrecht, the Netherlands, without prejudice to any mandatory jurisdiction under the GDPR.

20. Changes

Pantalytics may update this DPA to reflect changes in applicable law, the list of Sub-processors, or improvements to its security measures, provided that the level of protection of Personal Data is not reduced. Material changes will be notified to the Customer at least 30 days before they take effect.

21. Contact

Questions, requests for a countersigned copy, audit requests and notifications under this DPA may be sent to info@pantalytics.com.